[arch-general] Arch Linux and security - it needs some work

Brendan Long korin43 at gmail.com
Mon Feb 1 00:26:49 EST 2010


On 01/31/2010 09:18 PM, Nilesh Govindarajan wrote:
> On 01/31/2010 08:31 PM, Ananda Samaddar wrote:
>> [snip]
>>
>
> Key signing is not required for us I think. Because Arch people are
> the first to release package updates. It is tested properly and is
> given in .tar.gz archives. Even if a byte is altered in the archive
> then its md5sum would change so pacman will complain.
>
Close, but what about the package list? The proposals I've seen have
mostly been to just sign the package list, since the md5 takes care of
everything else.
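
The point made in this thread, as an added example that is not part of the original message or of pacman's code: an md5 in the package list catches an altered archive only while the list itself can be trusted, and a signature over the list covers that gap. The file names, the list format and the key are constructed for illustration, and HMAC stands in for the public-key signature a real scheme would use.

```python
import hashlib
import hmac

# Constructed stand-in for the repository signing key (assumption). A real
# scheme would use a public-key signature; HMAC keeps this stdlib-only.
REPO_KEY = b"constructed-demo-key"

def md5_hex(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()

def build_list(packages: dict) -> bytes:
    """Package list in a made-up format: one 'name md5' line per package."""
    return "".join(f"{n} {md5_hex(b)}\n" for n, b in sorted(packages.items())).encode()

def sign_list(pkg_list: bytes) -> str:
    return hmac.new(REPO_KEY, pkg_list, hashlib.sha256).hexdigest()

def check(name, blob, pkg_list, list_sig=None, require_sig=False) -> str:
    """Client-side check of one downloaded package against the list."""
    if require_sig:
        if list_sig is None or not hmac.compare_digest(sign_list(pkg_list), list_sig):
            return "bad list signature"
    entries = dict(line.split() for line in pkg_list.decode().splitlines())
    if entries.get(name) != md5_hex(blob):
        return "md5 mismatch"
    return "ok"

# Constructed sample data: what the repository publishes.
GOOD = {"foo-1.0.pkg.tar.gz": b"original package bytes"}
GOOD_LIST = build_list(GOOD)
GOOD_SIG = sign_list(GOOD_LIST)

# Constructed sample data: a mirror serving a changed package and a regenerated list.
ALTERED = {"foo-1.0.pkg.tar.gz": b"altered package bytes"}
ALTERED_LIST = build_list(ALTERED)

def scenarios() -> dict:
    name = "foo-1.0.pkg.tar.gz"
    return {
        "altered package, original list": check(name, ALTERED[name], GOOD_LIST),
        "altered package and list, md5 only": check(name, ALTERED[name], ALTERED_LIST),
        "altered package and list, signed list": check(
            name, ALTERED[name], ALTERED_LIST, GOOD_SIG, require_sig=True),
        "untouched package, signed list": check(
            name, GOOD[name], GOOD_LIST, GOOD_SIG, require_sig=True),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```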

